pam_mount, processes, users

Shawn Iverson shawn at nccsc.k12.in.us
Wed Sep 12 00:31:59 BST 2007


Hello,
 
I am having to work around quite a few issues not necessarily related to
Edubuntu specifically.  I am wondering if someone could have a look at
what I am doing and give me some input.  I have two terminal servers
serving four classrooms at a ratio of 60 PCs per server with
authentication against Active Directory and shares mounted via
pam_mount.  I am planning on reducing that ratio to 30 by freeing up a
couple more servers.  Fortunately, the servers are quite powerful, so
we've been doing okay.

Please note that each of my scripts live in /usr/local/sbin, have
root:root, and are 750, just to be safe.
 
Problem 1: Can't tell who is logged in because users do not show up
locally
 
Solution: listusers.sh
#!/bin/bash
# Users owning a gnome-panel, bash or sshd process.  AD users on a terminal
# server do not show up in who/w, so the process table stands in for it.
# user:50 keeps long names from being truncated; the unquoted echo joins the
# names into one space-separated line, which the other scripts rely on.
echo $(ps --no-headers -eo user:50,cmd | grep -E 'gnome-panel|bash|sshd' | awk '{ print $1 }' | sort -u)
############

Problem 2: pam_mount problems with shares not unmounting, and logout
scripts in Edubuntu are ignored.
 
auth.log reveals:
Sep 10 19:20:12 edubuntuts2 su[15529]: pam_mount(pam_mount.c:332) error executing /usr/sbin/pmvarrun
Sep 10 19:20:12 edubuntuts2 su[15555]: pam_mount(misc.c:346) error setting uid to 0

Solution: cleanupsmb.sh set to execute once an hour
#!/bin/bash
# Pam_mount Umount Script
# 9/4/07
# Version 0.1

MOUNTPOINT=".HomeFolder"
# Mountpoints are under /home/<domain>/<user>/$MOUNTPOINT

# Make a private temp folder: mktemp -d creates it fresh with mode 0700, so
# the snapshot is never written through a path another user could have
# pre-created in /tmp.  (Not named TMPDIR, which mktemp itself honours.)
WORKDIR=$(mktemp -d /tmp/cleanupsmb.XXXXXX) || exit 1
trap 'rm -rf "$WORKDIR"' EXIT

# Snapshot auth.log for analysis
cp -f /var/log/auth.log "$WORKDIR/authtemp.log"

# Call listusers.sh for current users (full path: cron's PATH lacks /usr/local/sbin)
ACTIVEUSERS=$(/usr/local/sbin/listusers.sh)

# Mounted home shares, one mountpoint per line
ACTIVESHARES=$(mount | grep -F "$MOUNTPOINT" | awk '{ print $3 }')

# Does a share have a matching user?
for a in $ACTIVESHARES; do
  SHAREUSER=$(echo "$a" | awk -F/ '{ print $4 }')
  if ! printf '%s\n' $ACTIVEUSERS | grep -qxF -- "$SHAREUSER"; then
    # Is a login occurring?  Check only the lines added to auth.log since the snapshot
    if ! diff /var/log/auth.log "$WORKDIR/authtemp.log" | grep -Eq -- "[=' ]$SHAREUSER([' ]|\$)"; then
      umount "$a"
      logger -p local0.info "cleanupsmb.sh:User $SHAREUSER unmounted, return code=$?"
    else
      logger -p local0.info "cleanupsmb.sh:User $SHAREUSER is logging in...skipping umount."
    fi
  fi
done
#####################

Problem 3: Stale processes are left over when users log out, and logout
scripts in Edubuntu are ignored.

Solution: cleanupstale.sh set to execute once an hour, offset from other scripts
#!/bin/bash
# Cleanup and check for ALL stale processes
# 9/10/07
# Version 0.1

# Private temp folder (see cleanupsmb.sh); removed on exit
WORKDIR=$(mktemp -d /tmp/cleanupstale.XXXXXX) || exit 1
trap 'rm -rf "$WORKDIR"' EXIT
cp -f /var/log/auth.log "$WORKDIR/authtemp.log"

# Get a list of users *potentially* logged in
ACTIVEUSERS=$(/usr/local/sbin/listusers.sh)

# Get a list of all user processes and grab the users.  user:50 keeps long
# AD names from being truncated to 8 characters, which would make the
# pkill -u below miss them (or hit nothing at all).
ALLUSERS=$(ps --no-headers -eo user:50 | sort -u)

# Now get accounts with UID < 1000 and nobody
SYSTEMUSERS="$(awk -F: '$3 < 1000 { print $1 }' /etc/passwd) nobody"

for a in $ALLUSERS; do
  # Skip system accounts
  printf '%s\n' $SYSTEMUSERS | grep -qxF -- "$a" && continue
  # Skip users with a visible session
  printf '%s\n' $ACTIVEUSERS | grep -qxF -- "$a" && continue
  # Skip users mentioned in auth.log since the snapshot: a login is in progress
  if diff /var/log/auth.log "$WORKDIR/authtemp.log" | grep -Eq -- "[=' ]$a([' ]|\$)"; then
    logger -p local0.info "cleanupstale.sh:User $a is logging in...skipping cleanup."
    continue
  fi
  # Kill the stale processes
  pkill -u "$a"
  logger -p local0.info "cleanupstale.sh:Stale processes found for user $a.  All processes killed."
done

###########################
 
Problem 4:  Users in Active Directory aren't local to the server, and
users need permission to mount removable devices such as USB drives.

Solution: userprivs.sh scheduled once per night
#!/bin/bash
# Pull AD Users into appropriate *nix groups for local privileges
# 08/07/2007
# Version 0.1

# Assumes winbind returns bare user names (winbind use default domain = yes)
# without spaces, since they are spliced into a group line below.
ADUSERS=$(wbinfo -u)
if [ $? -ne 0 ] || [ -z "$ADUSERS" ]; then
  logger -p local0.info "userprivs.sh: Unable to query winbind for users!"
  exit 1
fi
# Join the names with commas, as /etc/group expects
ADUSERS=$(echo $ADUSERS | sed -e 's/ /,/g')

# Parse groups file and grant fuse privileges to all users
# Capture the fuse:x:###: section (This will discard local users)
# Anchored to the line starting with "fuse:" so a group merely containing
# the word fuse is not touched.
FUSEGROUPBASE=$(grep -Eo '^fuse:x:[0-9]+:' /etc/group)
if [ -z "$FUSEGROUPBASE" ]; then
  logger -p local0.info "userprivs.sh: No fuse group found in /etc/group!"
  exit 1
fi

# Inject ADUSERS into the fuse group
sed -i -e "s/^fuse:x:[0-9]*:.*/${FUSEGROUPBASE}${ADUSERS}/" /etc/group
#####################################

Problem 5: Sometimes the gnome-panel runs out of control eating up the
CPU, and the users are not actually logged in:

Top reveals:

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
23162 bbogue    25   0 38852  15m  10m R  101  0.4 543:08.11 gnome-panel
30475 rwilliam  25   0 38788  15m  10m R   99  0.4 532:15.44 gnome-panel
16967 root      15   0  2484 1172  812 R    2  0.0   0:00.02 top

Solution: cleanupgnome.sh, set to run once an hour, offset
#!/bin/bash
# Check for orphan/runaway gnome-panels, and kill them to protect the server
# Version 0.1

# Minimum threshold for processes running under a user running gnome
# A user with not enough processes is assumed defunct, and the gnome-panel
# can be killed.
PTHRESHOLD=5

# Private temp folder (see cleanupsmb.sh); removed on exit
WORKDIR=$(mktemp -d /tmp/cleanupgnome.XXXXXX) || exit 1
trap 'rm -rf "$WORKDIR"' EXIT
cp -f /var/log/auth.log "$WORKDIR/authtemp.log"

# Get a list of users running gnome-panel and *possibly* logged in
GNOMEUSERS=$(ps --no-headers -eo user:50,cmd | grep gnome-panel | awk '{ print $1 }' | sort -u)

for a in $GNOMEUSERS; do
  # How many processes does each user have?
  PCOUNT=$(ps --no-headers -o pid -U "$a" | wc -l)
  if [ "$PCOUNT" -le "$PTHRESHOLD" ]; then
    # Is the user logging in?
    if ! diff /var/log/auth.log "$WORKDIR/authtemp.log" | grep -Eq -- "[=' ]$a([' ]|\$)"; then
      # pkill takes a single pattern; the owner is selected with -u
      pkill -u "$a" gnome-panel
      logger -p local0.info "cleanupgnome.sh:Defunct gnome-panel found for user $a.  Process killed. return code=$?"
    else
      logger -p local0.info "cleanupgnome.sh:User $a is logging in...skipping check."
    fi
  fi
done
###########################

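As an added example (not part of this post or of Shawn's scripts), the reconciliation step of cleanupsmb.sh written as shell functions that take their input as arguments, so the user/share matching, the mid-login guard and a username sanity check can be run against constructed samples before they touch a live server; the function names, the SCHOOL domain, the host name and the sample users are assumptions.

```shell
#!/bin/bash
# Reconciliation logic of cleanupsmb.sh as functions that take their input
# as arguments, so it can be exercised offline.  All sample data below is
# constructed; the SCHOOL domain and the user names are made up.

# Accept only plain account names before one reaches umount/pkill or a regex
# (assumption: winbind maps AD names to this form).
valid_user() {
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z_][A-Za-z0-9_.-]{0,31}$'
}

# $1 = user, $2 = space-separated users with a visible session (listusers.sh)
is_active() {
  printf '%s\n' $2 | grep -qxF -- "$1"
}

# $1 = user, $2 = auth.log lines added since the snapshot (diff output)
mid_login() {
  printf '%s\n' "$2" | grep -Eq -- "[=' ]$1([' ]|\$)"
}

# $1 = mount(8) output, $2 = active users, $3 = auth.log delta
# Prints, one per line, the .HomeFolder mountpoints that are safe to unmount.
stale_shares() {
  printf '%s\n' "$1" | awk '$3 ~ /\/\.HomeFolder$/ { print $3 }' |
  while IFS= read -r mp; do
    user=${mp#/home/*/}        # drop /home/<domain>/
    user=${user%%/*}           # keep the <user> component
    if ! valid_user "$user"; then
      echo "stale_shares: unexpected mountpoint $mp, left alone" >&2
      continue
    fi
    is_active "$user" "$2" && continue   # session still visible
    mid_login "$user" "$3" && continue   # login in progress, try later
    printf '%s\n' "$mp"
  done
}

# Constructed samples: bbogue has a session, rwilliams is mid-login,
# tstudent's share is orphaned, and one mountpoint has no user component.
SAMPLE_MOUNTS='//fs1/home$/bbogue on /home/SCHOOL/bbogue/.HomeFolder type cifs (rw)
//fs1/home$/rwilliams on /home/SCHOOL/rwilliams/.HomeFolder type cifs (rw)
//fs1/home$/tstudent on /home/SCHOOL/tstudent/.HomeFolder type cifs (rw)
//fs1/home$ on /home/SCHOOL/.HomeFolder type cifs (rw)
/dev/sda1 on / type ext3 (rw)'
SAMPLE_ACTIVE='root bbogue jsmith'
SAMPLE_AUTH_DELTA='> Sep 10 19:25:01 edubuntuts2 sshd[4321]: Accepted password for rwilliams from 10.0.0.5 port 51234 ssh2'

stale_shares "$SAMPLE_MOUNTS" "$SAMPLE_ACTIVE" "$SAMPLE_AUTH_DELTA"
```

Feeding it the real `mount` output, the listusers.sh line and the `diff` of the two auth.log copies gives exactly the decisions the cron script makes, minus the umount.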